ci: add snyk scanning

adding snyk github action to run when a PR is merged to the release branch or when a new release is done. Run snyk weekly on the devel branch. This will help us to track the security scanning results and fix if anything is required and also it serves as a placeholder for security scanning result for a while. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2024-11-09 16:00:22 +00:00 · 2023-11-15 09:45:45 +01:00 · 2023-11-15 09:45:45 +01:00 · 6b3665b80c
commit 6b3665b80c
parent 4ee466b4b4
1 changed files with 30 additions and 0 deletions
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@ -0,0 +1,30 @@
+---
+name: Security scanning
+# yamllint disable-line rule:truthy
+on:
+  schedule:
+    # Run weekly on every Monday
+    - cron: '0 0 * * 1'
+  push:
+    tags:
+      - v*
+    branches:
+      - release-*
+
+permissions:
+  contents: read
+
+jobs:
+  security:
+    if: github.repository == 'ceph/ceph-csi'
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: run Snyk to check for code vulnerabilities
+        uses: snyk/actions/golang@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}